* Developed by Derrick Brashear and Ken Hornstein of Sine Nomine Associates,
* on behalf of Stanford University
* Extensive modifications by Russ Allbery <eagle@eyrie.org>
- * Copyright 2006, 2007, 2009, 2012, 2013
+ * Copyright 2006, 2007, 2009, 2012, 2013, 2014
* The Board of Trustees of the Leland Stanford Junior University
*
* See LICENSE for licensing terms.
#ifdef HAVE_CDB_H
# include <cdb.h>
#endif
+#ifdef HAVE_SQLITE3_H
+# include <sqlite3.h>
+#endif
#include <stddef.h>
#ifdef HAVE_KRB5_PWQUAL_PLUGIN_H
#define ERROR_ASCII "password contains non-ASCII or control characters"
#define ERROR_DICT "password found in list of common passwords"
#define ERROR_LETTER "password is only letters and spaces"
+#define ERROR_MINDIFF "password does not contain enough unique characters"
#define ERROR_SHORT "password is too short"
#define ERROR_USERNAME "password based on username or principal"
* checking for at least the MIT plugin.
*/
struct krb5_pwqual_moddata_st {
+ long minimum_different; /* Minimum number of different characters */
long minimum_length; /* Minimum password length */
bool ascii; /* Whether to require printable ASCII */
bool nonletter; /* Whether to require a non-letter */
#ifdef HAVE_CDB_H
struct cdb cdb; /* Open CDB dictionary data */
#endif
+#ifdef HAVE_SQLITE3_H
+ sqlite3 *sqlite; /* Open SQLite database handle */
+ sqlite3_stmt *prefix_query; /* Query using the password prefix */
+ sqlite3_stmt *suffix_query; /* Query using the reversed password suffix */
+#endif
};
BEGIN_DECLS
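Review bot: The three SQLite members added to struct krb5_pwqual_moddata_st say nothing about ownership or teardown order, and the order matters: the prepared statements have to be finalized before the database handle they belong to is closed. I would extend the member comments, e.g. `sqlite3_stmt *prefix_query; /* Owned by moddata; finalized in strength_close_sqlite before sqlite is closed */`, and state whether all three pointers are NULL when no SQLite dictionary is configured. The comment on `minimum_different` should also say what an unset or non-positive value means and whether the count is over bytes or characters, since ERROR_MINDIFF promises "unique characters" and a password can contain multi-byte sequences when the ASCII requirement is off. The implementation is not part of this hunk, so the exact wording has to be confirmed against it.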
*
* If not built with CDB support, provide some stubs for check and close.
* init is always a real function, which reports an error if CDB is
- * requested.
+ * requested and not available.
*/
krb5_error_code strength_init_cdb(krb5_context, krb5_pwqual_moddata);
#ifdef HAVE_CDB
krb5_error_code strength_check_cracklib(krb5_context, krb5_pwqual_moddata,
const char *password);
+/*
+ * SQLite handling. strength_init_sqlite gets the database configuration and
+ * sets up the SQLite internal data, strength_check_sqlite checks a password,
+ * and strength_close_sqlite handles freeing resources.
+ *
+ * If not built with SQLite support, provide some stubs for check and close.
+ * init is always a real function, which reports an error if SQLite is
+ * requested and not available.
+ */
+krb5_error_code strength_init_sqlite(krb5_context, krb5_pwqual_moddata);
+#ifdef HAVE_SQLITE
+krb5_error_code strength_check_sqlite(krb5_context, krb5_pwqual_moddata,
+ const char *password);
+void strength_close_sqlite(krb5_context, krb5_pwqual_moddata);
+#else
+# define strength_check_sqlite(c, d, p) 0
+# define strength_close_sqlite(c, d) /* empty */
+#endif
+
/* Check whether the password statisfies character class requirements. */
krb5_error_code strength_check_classes(krb5_context, krb5_pwqual_moddata,
const char *password);
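Review bot: The `#else` stub `strength_check_sqlite(c, d, p) 0` reports success for every password, so in a build without SQLite the dictionary check is enforced only if the caller treats an error from strength_init_sqlite as fatal. The block comment says init reports the error but does not say the stub depends on it. I would add a line such as `* The check stub accepts every password, so callers must abort setup if strength_init_sqlite fails.` to the comment. These prototypes are guarded by HAVE_SQLITE while the include and the struct members use HAVE_SQLITE3_H; that appears to follow the existing CDB pattern, but a short comment that both symbols must be defined together would prevent a build where the struct and the functions disagree.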